11.3.5 Lab - Document Enterprise Cybersecurity Issues


Lab - Document Enterprise Cybersecurity Issues (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that
appears in the instructor copy only.
Objectives
Part 1: Record your assessment of Athena's cybersecurity issues.
Part 2: Record the different types of assets owned by Athena.
Part 3: List the threats for each asset type.
Part 4: Recommend mitigation techniques to address each threat.
Note: This lab assumes you have basic knowledge of vulnerabilities, threats, and mitigation techniques.

Scenario
Athena Learning Incorporated is an educational service provider. Athena has two major lines of business:
course content creation and online learning services. Athena creates learning content and hosts learning
content. Athena also provides internet sales services that enable its partners to charge their students to
attend their courses.
Athena employs about 100 people in its headquarters office, and about 5 people each in its London and
Singapore offices. Because it provides content and delivery services globally, Athena must comply with
diverse privacy and security standards.
Athena serves as custodian for its own content and content that belongs to its partners. That content includes
text, graphic, video, and interactive assets. This content is the essential intellectual property of the company.
It also manages student account information including student registration, authentication, records, and
payment information. Athena manages its own SQL databases, some of which are connected to web portals.
The Athena network consists of mostly MS Windows and Apple IOS clients with a mix of Microsoft and Linux
servers to store business and employee records, learning content assets, and financial information, including
customer data. The hosts include various PC brands and models of varying age. Different versions of
operating systems are in use. Athena uses cloud services to deliver courses to the public, but must house
assembled courses on the internal network for creation and editing. When the courses become available, they
are mirrored to the cloud. Employees are permitted to use their personal phones and tablets for work. In
addition, some employees work from home, but require full network access to do so. Athena also hosts its
own DNS, email, and intranet services.
Athena employees use common office application software, custom applications, and tools that have been
created internally.
Athena provides access to parts of its internal network to its partners through a secure web portal. Clients are
able to preview their course content and deliver course assets to Athena for assembly in the Athena learning
management system. Students interact with the cloud-managed learning platform through their web account
logins.
In this lab, you will apply your knowledge of cybersecurity threats and mitigation techniques to a corporate
setting. You will read about a business, classify its assets, and then list the potential vulnerabilities and
threats that the business faces. Finally, you will recommend threat mitigation measures for the threats that
you identify.

© 2021 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public www.netacad.com

Required Resources
• Devices with internet access

Instructions

Part 1: Record your assessment of Athena's cybersecurity issues.


Study the Scenario above about Athena Learning Incorporated. Focus on identifying the data, software,
hardware, and network assets that need to be protected to ensure that the company is not impacted by the
various types of threats that have been discussed in the course so far.
Use the tables below to record your answers.

| Information/Data Assets | Threats | Mitigation |
|---|---|---|
| student personally identifiable information on servers | data theft of protected information; identity theft | encrypt stored data |
| student sales information | identity theft; theft of credit card information | encrypt stored data |
| learning content on course delivery website | unauthorized access; data theft; alteration of content | strong authentication; hardening of web application |
| customer assets during upload to Apollo | data tampering; data theft | VPN; hashing of assets |
| data and services required by work-at-home employees | data theft; data tampering | VPN |

| Software Assets | Threats | Mitigation |
|---|---|---|
| host operating systems | malware; phishing; malicious websites; security vulnerabilities | antivirus software; block access to known malicious sites; user security training; patching |
| office applications | exploits of unpatched vulnerabilities; various application attacks | patching; security policies regarding use of unauthorized software |
| SQL databases | data entry errors; XML or SQL injection | data input validation |
| web server software | vulnerable server software; cross-site scripting | patching |
| in-house applications | various application exploits | secure software development; strong input validation |


| Physical Assets | Threats | Mitigation |
|---|---|---|
| desktop PCs | power interruption; hard drive failure; other physical damage; control access to facilities | data backups; power protection; badge-based or biometric access control; user security training |
| laptop PCs | loss, theft, or damage; hard drive failure; other physical damage | antivirus; host-based firewall; regular data backups; drive encryption; physical access control |
| File servers | power interruption; hard drive failure; physical damage | power protection; automated backups; physically secure server room; redundant servers |
| Networking equipment | power interruption; physical damage; unauthorized administrative access | power protection; physically secure wiring closets and equipment locations |

| Network Assets | Threats | Mitigation |
|---|---|---|
| IP services (DNS, IMAP, DHCP) | DNS spoofing, address spoofing | Next-generation firewalls capable of deep packet inspection |
| Connection to ISP | DoS, DDoS | block external ICMP packets with firewalls |
| wired LAN | man-in-the-middle; unauthorized access; detect unauthorized network scanning | strong passwords |
| wireless LAN | man-in-the-middle; unauthorized access; rogue access points | use strong authentication and encryption; access point placement; use tools to detect rogue access points; VPN for remote wireless users |

Part 2: Record the different types of assets owned by Athena.


From the information in the Scenario, and your knowledge of business in general, fill in the first columns of
each table with the relevant assets that are owned by Athena. You should have at least three entries in each
table.


The different types of assets are defined as follows:

• Information/Data Assets - any data that is used by the company, in any of the three states of data. This
data could be Athena’s business data, Athena’s learning content, student sales and learning data, or
partner data.
• Software Assets - any software that is used by Athena, including commercial business applications,
operating systems, server software, database software, and custom software.
• Physical Assets - the physical devices, equipment, and other property that are used by Athena in the
course of their business.
• Network Assets - the types of networks and network connections that are hosted or used by Athena in
the course of its business.

Part 3: List the threats for each asset type.


a. Review the information that you have learned in this pathway regarding vulnerabilities and threats.
Question:

What is the difference between a threat and a vulnerability?

Type your answers here.


Vulnerabilities are weaknesses or characteristics of an asset that can result in damage to or loss
of those assets. Threats are the possible actions or events that exploit vulnerabilities. Threats can
be posed by people or nature.
b. Complete the second column of the table with threats that could exploit vulnerabilities for each asset that
you listed. There is usually more than one threat to each asset.

Part 4: Recommend mitigation techniques to address each threat.


Review the information that you have learned so far about ways to mitigate various cybersecurity threats.
Complete the third column of the table with mitigation techniques that can be used to avoid or limit the
damage caused by each potential threat.

Reflection
1. Why is it useful to categorize assets when identifying threats and mitigation techniques?

Type your answers here.


Classifying assets by type helps to organize thinking around what threats may exist. Otherwise, there
are so many assets that it is difficult to get started with the analysis.
2. Do some threats have the same or similar mitigation measures? Why is it important to note this?


Type your answers here.


Yes, some threats can be mitigated using the same means. For example, a system of updating host and
server software can help to mitigate threats to customer and company data. VPNs can encrypt data
uploaded to Athena’s servers by customers and can also protect assets sent to the cloud. Knowing
this helps guide the choice and implementation of threat mitigation solutions.
3. What have you learned about the application of knowledge of cybersecurity threats and mitigation techniques to
the context of a simulated organization?

Type your answers here.


Answers will vary. It should be apparent that a comprehensive cybersecurity program requires many
different types of measures that work together to protect an organization’s diverse assets. There is
no single solution to protecting assets from the wide range of threats that exist in the world today.